Module 1: State Attorneys General Enforcement of Federal Health Privacy Law
HIPAA Enforcement Training for State Attorneys General
Module 1: Introduction
This module of the HIPAA Enforcement Training for State Attorneys General (SAG) provides an overview of:
• ARRA/HITECH’s impact on SAG
• HIPAA rules and terminology
• Identifying potential HIPAA violations
• Investigating potential HIPAA violations
Module 1: Objectives
After completing this module, you will be able to:
• Discuss your authority under ARRA/HITECH
• Define terminology and the premise of the Privacy Rule
• Explain the purpose of the Security Rule
• Identify potential HIPAA violations and your role in investigating alleged violations
Lesson 1: ARRA/HITECH’s Impact on State Attorneys General
Lesson 1: Objectives
After completing this lesson, you will be able to:
• Describe SAG authority for enforcement of HIPAA under ARRA/HITECH
• Discuss the effect of ARRA/HITECH on how HIPAA applies to business associates and breach notifications
Topic 1: Overview of ARRA/HITECH Requirements
ARRA addresses health information technology:
• Title XIII and Title IV of Division B are known as the Health Information Technology for Economic and Clinical Health (HITECH) Act
• Subtitle D of HITECH addresses health information privacy
• Effective Date: February 17, 2009
Topic 2: Overview of SAG Role in HIPAA Enforcement Under ARRA/HITECH
• Subtitle D § 13410 ‐ Improved Enforcement
• SAG may bring civil actions for alleged violations of HIPAA Privacy and Security on behalf of state residents
• ARRA/HITECH instituted federal breach notification requirements
• Extended liability under HIPAA Rules to Business Associates of Covered Entities
Topic 3: SAG HIPAA Enforcement Action
Activity 1: State of Connecticut case
• Take about 10 minutes to read paragraphs I‐IV
• Located on page 1 of your Appendix
• Keep in mind the various elements
Lesson 2: HIPAA Overview
Lesson 2: Objectives
After completing this lesson, you will be able to:
• Describe the HIPAA statute and regulations
• Explain the purpose and function of the HIPAA Privacy Rule
• Discuss the purpose and function of the HIPAA Security Rule
Topic 1 Overview
Topic 1 will address these questions:
• Why HIPAA
• What is HIPAA
• Who is regulated and protected
• What information
• How – rule making
Topic 1: Why HIPAA?
• The potential consequences of not protecting privacy or security can be severe
• In 1996, Congress passed HIPAA, which includes provisions calling for privacy and security protections
Topic 2: What is HIPAA?
Topic 2: What is HIPAA? (continued)
Title II: Subtitle F – Administrative Simplification
• Encourages efficiencies in exchange of health information
• Requires HHS to adopt standards for electronic transmission of certain health information
Title II, Subtitle F, Section 264, Recommendations with Respect to Privacy of Certain Health Information:
• Requires Secretary of HHS to establish standards with respect to privacy of individually identifiable health information if Congress does not do so in 3 years
Topic 2: What is HIPAA? (continued)
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification
Topic 2: What is HIPAA? (continued)
Standard Transactions:
• Health care claims or equivalent encounter information
• Referral certification and authorization
• Health care claim status
• Health care payment and remittance advice
• Eligibility for a health plan
• Enrollment and disenrollment in a health plan
• Health plan premium payments
• Coordination of benefits
Reference: 45 CFR § 162.1101
Topic 3: HIPAA Rules
Covered Entities
A covered entity is:
• A health plan
• A health care clearinghouse
• A health care provider who transmits any health information in electronic form in connection with a covered transaction—one for which the HHS Secretary has adopted standards
Examples:
• Requesting payment
• Inquiring regarding the status of a health care claim
Reference: 45 CFR § 160.103
Topic 3: HIPAA Rules (continued)
More Information on Health Plans
A Health Plan includes:
• Health insurance companies
• Health Maintenance Organizations (HMOs)
• Group health plans (e.g. employer‐sponsored health plans)
• Government programs that pay for health care:
– Medicare & Medicaid
– Military & veterans health care programs
Topic 3: HIPAA Rules (continued)
More Information on Health Care Clearinghouses
Health care clearinghouses:
• Receive health information from other entities
• Process or facilitate the processing of health information from non‐standard formats into standard formats, or from standard formats into non‐standard formats
Topic 3: HIPAA Rules (continued)
Individually Identifiable Health Information (IIHI)
As defined in HIPAA & the Privacy Rule, IIHI is:
Health information (including demographic information collected from an individual) if it is created or received by a health care provider, health plan, employer, or health care clearinghouse...
Topic 3: HIPAA Rules (continued)
Individually Identifiable Health Information (IIHI) (continued)
…and relates to the:
• Past, present, or future physical or mental health or condition of an individual
• Provision of health care to an individual
• Past, present, or future payment for the provision of health care to an individual
Topic 3: HIPAA Rules (continued)
Individually Identifiable Health Information (IIHI) (continued)
Information categorized as IIHI must also satisfy the criteria of identifying the individual or providing a reasonable basis to believe it can be used to identify the individual.
A patient’s name, contact information, and account numbers are generally considered to be individual identifiers and, if created or received by a covered entity, would be IIHI.
Reference: 45 CFR § 160.103
Topic 3: HIPAA Rules (continued)
Protected Health Information (PHI)
Protected health information means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in any medium described in the definition of electronic media at 45 CFR § 160.103 of this subchapter; or
(iii) Transmitted or maintained in any other form or medium.
Topic 3: HIPAA Rules (continued)
Protected Health Information (PHI) (continued)
(2) Protected health information excludes individually identifiable health information in:
(i) Education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g; and records described at 20 U.S.C. 1232g(a)(4)(B)(iv)
(ii) Employment records held by covered entities in their role as employer
Reference: 45 CFR § 160.103
Topic 3: HIPAA Rules (continued)
Examples of PHI
• Medical records of patients that visit a covered provider’s office
• Billing records
• Other records that contain enough information to identify the individual
Reference: 45 CFR § 160.103
Topic 3: HIPAA Rules (continued)
Electronic Protected Health Information (ePHI)
ePHI is protected health information that is maintained in, or transmitted in, electronic media by a covered entity.
Topic 3: HIPAA Rules (continued)
Business Associates
• A business associate is a person or entity that performs a function or activity on behalf of a covered entity, or provides certain services to a covered entity that involve the use or disclosure of PHI
• Covered entities are generally required to execute a written contract or other written agreement/arrangement with each of their business associates
Topic 3: HIPAA Rules (continued)
Business Associates (continued)
Business associates include individuals or organizations that conduct:
– Legal services
– Quality assurance
– Accounting services
– Claims processing or administration
– Billing
– Benefits management
– Data analysis
– Utilization review
– Practice management
– Repricing
Topic 3: HIPAA Rules (continued)
Business Associates (continued)
• Not every entity that a covered entity does business with is a business associate:
– A member of the covered entity’s workforce is not a business associate
– A conduit of PHI (e.g., U.S. Postal Service or a messenger service) is not a business associate
• A covered entity can be a business associate of another covered entity
Reference: 45 CFR § 160.103
Topic 4: HIPAA Privacy Rule
Privacy Rule
Full citation:
“Standards for the Privacy of Individually Identifiable Health Information; Final Rule.” 65 Federal Register (FR) 82462 (December 28, 2000)
Topic 4: HIPAA Privacy Rule (continued)
Privacy Rule (continued)
Modified by:
• “Technical Corrections to the Standards for Privacy of Individually Identifiable Health Information,” 65 FR 82944 (December 29, 2000)
• “Standards for Privacy of Individually Identifiable Health Information,” 67 FR 53182 (August 14, 2002)
• “Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings,” 68 FR 18895 (April 17, 2003)
• “HIPAA Administrative Simplification: Enforcement,” 71 FR 8390 (February 16, 2006)
• “HIPAA Administrative Simplification: Enforcement,” 74 FR 56123 (October 30, 2009)
Topic 4: HIPAA Privacy Rule (continued)
Privacy Rule (continued)
Incorporated at:
• 45 Code of Federal Regulations (CFR), Part 160 – Includes definitions, preemption provisions, compliance and investigations, imposition of civil money penalties and procedures for hearings for all Administrative Simplification provisions
• 45 CFR, Part 164, titled “Security and Privacy”
• Subpart A – Includes general provisions, such as definitions that apply to both the Privacy and Security Rules
Topic 4: HIPAA Privacy Rule (continued)
Privacy Rule (continued)
45 CFR, Part 164, titled “Security and Privacy”
• Subpart E, among other things:
– Establishes standards for use and disclosure of PHI by covered entities
– Establishes individuals’ rights with regard to their PHI
– Sets out general rule that covered entities/business associates may only use and disclose PHI as permitted or required by the HIPAA Privacy Rule
– Provides standards explaining permitted and required uses and disclosures
– Outlines administrative requirements for covered entities
Topic 5: HIPAA Security Rule
Security Rule
Full citation:
• “Health Insurance Reform: Security Standards; Final Rule.” 68 FR 8334 (February 20, 2003).
Incorporated at:
• 45 CFR, Part 160, and Subpart C of Part 164
Topic 5: HIPAA Security Rule (continued)
Security Rule (continued)
45 CFR, Part 164, Subparts A and C:
• Address security standards and implementation specifications to protect electronic PHI (ePHI) from unauthorized disclosure or access
• Define three types of safeguards that covered entities are required to have in place to protect ePHI:
– Administrative
– Physical
– Technical
Lesson 2: Recap
Health Insurance Portability and Accountability Act:
• Title I – HIPAA provides protection against loss of health insurance due to job loss (“portability”) and addresses fraud and abuse.
• Title II – Establishes standards for transmission of electronic health information
– Subtitle F – Recommendations for protection of the privacy of health information
Lesson 2: Recap (continued)
Privacy Rule
• Establishes standards for covered entities to protect PHI
• Establishes individuals’ rights with regard to their PHI
Security Rule
• Establishes security safeguards covered entities are required to have in place to protect ePHI from unauthorized access or disclosure
Lesson 3: Identifying Potential HIPAA Violations
Lesson 3: Objectives
After completing this lesson, you will be able to:
• Discuss how to identify potential HIPAA violations
• Describe what constitutes a violation of the HIPAA Rules
• Recognize whether or not other cases under SAG investigation may also raise issues under the HIPAA Rules
Topic 1: Identifying Potential HIPAA Violations
How SAG may learn about violations of HIPAA:
• Monitor local news outlets
• Receive complaints directly
• Whistleblowers
• Referred cases from other agencies
Topic 2: Events and Conditions Constituting HIPAA Violations
Inappropriate use or disclosure:
• May be the first indicator of a HIPAA Privacy or Security Rule violation
• Not required for proving the existence of a HIPAA Privacy or Security Rule violation
• Upon investigation, further HIPAA Privacy or Security violations may be present
Topic 2: Events and Conditions Constituting HIPAA Violations (continued)
Once a violation is suspected or detected, a SAG investigator will want to determine what provision or provisions of the Rules were violated.
Investigators should keep in mind that the HIPAA Rule requires documentation of the covered entity’s policies and procedures for all standards.
Investigators can look at both whether the policies and procedures met the requirements of the Rules and whether the policies and procedures themselves were followed. Also consider whether or not other related standards may be implicated.
Topic 3: Determining Whether Other Investigations by SAG May Have HIPAA Implications
SAG may uncover violations of HIPAA by re‐examining existing cases.
Examples:
• Health care fraud
• Labor and employment
• Adherence to state laws involving health care access and licensure
Lesson 3: Recap
Local news stories, residents’ complaints, or current civil or criminal caseloads may reveal a HIPAA violation.
A public exposure of PHI may sometimes, but not always, indicate a failure to comply with the HIPAA Privacy and Security Rules.
Lesson 4: Investigating Potential HIPAA Violations
Lesson 4: Objectives
After completing this lesson, you will be able to:
• Recognize when multiple violations of HIPAA result from a single incident
• Describe the interrelationship of violations of the Privacy and Security Rules
Topic 1: Multiple Violations Resulting from Single Incidents or Programs
Multiple violations of the various aspects of the Privacy Rule could be uncovered during the investigation of one incident.
Topic 2: Relationship of Security Violations to Privacy Violations
• A violation of the Security Rule can lead to a violation of the Privacy Rule
• If confidentiality is not protected, privacy can be violated
Module 1: Knowledge Check
Question 1: Which Act extends enforcement of HIPAA to SAG?
Question 2: What rule says that PHI may be used or disclosed for certain purposes?
Question 3: What must covered entities have in place to protect PHI?
Question 4: What are some ways that you might learn of HIPAA violations in your state?
Module 1: Recap
• ARRA/HITECH gave authority to SAG for HIPAA enforcement at the state level
• ARRA/HITECH established new breach notification requirements
• ARRA/HITECH extended the Privacy and Security Rules to business associates of covered entities
• HIPAA Title II, Subtitle F, required the Secretary of HHS to establish security standards, and health privacy standards if Congress did not do so
• The result was the Privacy and Security Rules, which apply to covered entities
Module 1: Recap (continued)
• News reports may reveal potential HIPAA violations due to a breach
• An investigator may establish a fact pattern by determining what requirements were not met
• An investigation may reveal multiple violations of both the Privacy Rule and Security Rule
Module 1: Summary
Having completed this module, you are able to:
• Discuss your authority under ARRA/HITECH
• Define terminology and the premise of the Privacy Rule
• Explain the purpose of the Security Rule
• Identify potential HIPAA violations and your role in investigating alleged violations